Snort mailing list archives
Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x)
From: 文浩 via Snort-devel <snort-devel () lists snort org>
Date: Mon, 30 Aug 2021 17:07:51 +0800 (CST)
the ndpi, to integrating the ndpi into Snort as a plugin. Now that you have that idea, why don't you integrate ndpi into VPP?

At 2021-08-15 22:54:16, "mike tancsa" <mike () sentex net> wrote:
> On 8/13/2021 10:46 AM, Shravan Rangarajuvenkata (shrarang) wrote:
> >>> I think I added the port to the right location (content_group_port_services_2pac_old.lua) -- OpenVPN {353, 1194, 6}, {353, 1194, 17}, {353, 11600, 17},
> >
> > >>> This looks good to me. After making this change, did you do one of the following:
> > * Issue appid.reload_detectors command
> > * Restart snort
> > One of the above needs to be done for the change to take effect. If you have already done this and you still don't see OpenVPN getting detected, please send us a pcap and we will investigate it.
>
> Thanks for the reply. Yes, I did indeed restart snort but no luck. I will generate a pcap and send it in another email.
>
> >>> Also, is it all just port based, or does the AppID engine have enough smarts to recognize the protocol if it's running on an arbitrary port?
> >
> > >>> AppId does Deep Packet Inspection (DPI). It can detect applications running on non-standard ports. However, for an application where we don't have unique patterns to identify it, we sometimes resort to port-based detection. OpenVPN is one such application.
>
> I was also playing around with ndpi (based on opendpi) via the ndpi reader (https://www.ntop.org/products/deep-packet-inspection/ndpi/) and it seems to have really excellent application layer coverage. Is there any thought as to integrating this into Snort as a plugin somehow?
>
> ---Mike
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-devel
> Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- AppID and OpenVPN (snort 3 on FreeBSD 12.x) mike tancsa (Aug 13)
- Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x) Shravan Rangarajuvenkata (shrarang) via Snort-devel (Aug 13)
- Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x) mike tancsa (Aug 15)
- Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x) 文浩 via Snort-devel (Aug 30)
- Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x) Costas Kleopa (ckleopa) via Snort-devel (Aug 30)
- Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x) 文浩 via Snort-devel (Aug 30)
- Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x) mike tancsa (Aug 15)
- Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x) Shravan Rangarajuvenkata (shrarang) via Snort-devel (Aug 13)